When following the instructions for adding a Yubikey with u2f authentication, the instructions could perhaps be a bit clearer or expanded. Because before adding a line to a PAM module, you need to also either:
run: sudo authselect select sssd with-pam-u2f
or really make sure the line you add is below system-auth.

I did both the second time around so I can't verify which one fixes it, but if you don't properly do this but set it in: /etc/pam.d/sudo, your machine is now "bricked" because you can't authenticate as root anymore.

Fairly easily fixable if you plug a live cd usb in, but still.
Would be nice if anyone knows which of the above mentioned causes the issue and maybe we could add either like a CAUTION: line or the additional install line.